Overview

- Driver Assistance:
  - Help human drivers be better & safer
- Driver Automation:
  - Vehicle actually drives
- Compare & contrast
  - Safety argument implications
  - Technology challenges
- Start with:
  - Automation modes for non-engineers

Assistive: Help the Driver Drive

- Better execute driver commands
  - Anti-lock brakes
  - Electronic stability control
- Momentarily intervene for safety
  - Automated emergency braking
- The driver is responsible for safety
  - The vehicle obeys driver intent
  - Interventions to improve driver performance
  - Functional safety covers equipment failures (ISO 26262)

Supervised: Driver Monitors for Safety

- Vehicle (mostly) does the driving
  - Speed control & lane keeping
- Human driver responsible for safety
  - Intervene to handle edge cases
- Driver monitors and intervenes
  - Vehicle must let driver intervene when needed (ISO 26262)
  - Effective driver monitoring required for automation complacency
  - Safety Of The Intended Function (SOTIF) (ISO 21448) helpful

ADAS Safety — Helping the Driver

- Proper functionality helps driver
  - Reduce driver stress, control mistakes
- Active safety can help
  - Helps avoid crashes
  - Tune to avoid false activations
- Arguably, good enough active safety
  - ADAS claims credit for safety; human blamed for crashes
  - BUT: avoid unreasonable demands on human drivers
    - Unaided humans are terrible at monitoring boring automation

Automated: The Car Drives

- Vehicle drives & handles safety
  - Driver need not pay attention to driving
  - Driving problems not dumped onto driver
- The vehicle responsible for driving safety
  - By definition: collisions are not fault of a human driver
- Tension between safety and permissiveness
  - False non-detections (false negatives) generally hurt safety
  - False detections (false positives) generally hurt permissiveness

Autonomous: No Human Oversight

- Vehicle handles driving & vehicle safety
  - There is no driver; no human supervision
  - Ensures passenger & cargo safety
  - Handles non-driving issues (e.g., post-crash)
- The vehicle is responsible for safe operation
  - Human does not help with safety
  - OK for vehicle to get help if it initiates request all on its own
- Adds requirement for non-driving sensing (UL 4600)
  - Passenger safety; cargo safety; vehicle equipment status
  - Beyond scope of Automated Driving System Levels in J3016

Vehicle Automation Modes

- Assistive & Supervised
  - Driver attention required
  - Vehicle responds to driver
  - Vehicle blame for unsafe intervention
    - Incentive for vehicle to under-perform
- Automated & Autonomous
  - No human attention on driving
    - Vehicle cannot count on human intervention for driving safety
  - Mode changes are requests, not demands by vehicle
    - Human actively confirms responsibility

Driver Mode Transitions

- Mode confusion is a problem
  - Driver positive acknowledgment
  - Request user attention, not “demand”
- Example issues:
  - Supervised changes to Assistive
    - Driver thinks vehicle is still steering
  - Automated changes to Supervised
    - Driver takes extended time to regain situational awareness
    - “Captain of ship” does not have a full driving license
  - Autonomous changes to Automated
    - Attendant rouses then falls back asleep (sleeps through alarm)

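
The "requests, not demands" and "driver positive acknowledgment" rules from the two slides above, sketched as an added example (not code from the slides or their author). The class and function names, the 10-second acknowledgment window and the `attentive` driver-monitoring input are assumptions made for illustration.

```python
from enum import IntEnum

class Mode(IntEnum):
    ASSISTIVE = 1
    SUPERVISED = 2
    AUTOMATED = 3
    AUTONOMOUS = 4

def responsible_for_safety(mode):
    # From the slides: human in Assistive/Supervised, vehicle in Automated/Autonomous.
    return "human" if mode <= Mode.SUPERVISED else "vehicle"

class ModeManager:
    ACK_WINDOW_S = 10.0  # assumed value; the slides give no number

    def __init__(self, mode):
        self.mode = mode
        self.pending = None   # (target mode, time the request was raised)
        self.events = []      # audit trail of requests and outcomes

    def request_downgrade(self, target, now):
        """Vehicle asks to hand over; the mode does NOT change here."""
        if target >= self.mode:
            raise ValueError("target is not a lower automation mode")
        self.pending = (target, now)
        self.events.append((now, "requested", target.name))

    def driver_ack(self, now, attentive):
        """Apply the pending change only on a timely acknowledgment from a
        driver that the (hypothetical) monitoring input reports as attentive."""
        if self.pending is None:
            return False
        target, raised = self.pending
        if now - raised > self.ACK_WINDOW_S:
            self.pending = None
            self.events.append((now, "expired", target.name))
            return False
        if not attentive:
            # Keep the request open: roused-then-asleep must not count.
            self.events.append((now, "rejected_inattentive", target.name))
            return False
        self.mode, self.pending = target, None
        self.events.append((now, "confirmed", target.name))
        return True
```

Until `driver_ack` returns `True`, the mode and the party responsible for safety stay where they were, so a missed or inattentive acknowledgment never transfers responsibility to the human.
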
Automation Safety Challenges

- Assistive
  - More uniform adoption of ISO 26262
- Supervised
  - Safety credit if low false positives
  - Effective driver monitoring
- Automated
  - SOTIF, scenario completeness & coverage
  - Sensor fusion, perception, prediction
  - Blamed for false negatives
- Autonomous
  - UL 4600 coverage: drivers do more than drive

[Figure callout: ADAS gets safety credit]

© 2021 Philip Koopman

Component Safety Challenges

- Positive Trust Balance:
  - Engineering Rigor, Validation, Feedback, Safety Culture
  - Standards-driven safety
- Safety Performance Indicators (SPIs)
  - Integrators asking for component safety cases
  - Field feedback: development; deployed
- Scalability past pilot vehicles
  - Accurate perception/prediction is still work in progress
  - Transition from brute force data to safety case
  - Key point: avoiding multi-sensor correlated failures

Organizational Safety Challenges

- Significant pressure to deploy
  - Flurry of empty driver seat demos in 2020
  - Can teams take the time needed for safety?
- Industry transparency needed
  - Safety collaboration rather than competition
  - Public trust in face of an adverse news event
- Ensuring robust safety cultures
  - Robotics meets automotive engineering
  - Silicon Valley culture + automotive culture + no human driver